Formal Complaint Filed Against GSA For Veiled FedRAMP Threats

A complaint has been filed with the General Services Administration’s inspector general alleging that officials from the Federal Risk and Authorization Management Program, known as FedRAMP, issued veiled threats of retaliation against companies that publicly voiced concerns about problems with the cloud security certification process, MeriTalk has learned.

Steve O’Keeffe, the chairman of the FedRAMP Fast Forward Industry Advisory Group, said some companies have received calls in recent weeks from officials in the FedRAMP Program Management Office that contained veiled warnings that their Federal cloud business could suffer if they continued to take part in the industry-led effort to highlight problems with the FedRAMP program. O’Keeffe, who also serves as founder and publisher of MeriTalk, made the comments during a March 3 meeting of the Cloud Computing Caucus Advisory Group on Capitol Hill.

“Since we published the Fix FedRAMP paper, we’ve received calls from a series of CSPs who’ve noted that they’re afraid to provide criticism of the FedRAMP process for fear that the PMO will punish them for speaking up,” O’Keeffe said. “And, organizations that have participated in the program have received calls from the PMO questioning why they have engaged in the Fix FedRAMP initiative, and inferring that this participation will be bad for their FedRAMP business.”

The controversy stems from the Fix FedRAMP position paper, published Jan. 25 by the FedRAMP Fast Forward industry group. Developed over the course of 14 months and several not-for-attribution working group meetings, the paper takes a tough and honest look at the shortcomings of the FedRAMP cloud certification process and how the program has actually become a barrier to Federal agencies that are trying to move to the cloud.

“We met with the GSA PMO and gave them the opportunity to react to the draft Fix FedRAMP paper. They declined to do so, saying that providing feedback would add to the credibility of the report,” O’Keeffe said. “We actually set up this Cloud Caucus meeting as a platform for the PMO to roll out its FedRAMP 2.0 platform. But, after expressing strong interest in speaking here, GSA informed us that it was not allowed to participate. I’m still mystified by that one.”

“Reprisal is not to be tolerated,” Rep. Gerry Connolly, D-Va., co-chair of the House Cloud Computing Caucus, said during the meeting. He encouraged vendors to present any complaints or concerns to him or other members of the Caucus.

“We can be an advocate on your behalf,” Connolly said. “We can use both informal or formal ways of doing it.”

In anticipation of the Cloud Computing Caucus meeting, Rep. Ted Lieu, D-Calif., co-chair of the House Cloud Computing Caucus, contacted the GSA to ask a simple question: “Why is it (FedRAMP) so effed up?”

Lieu said he would deem the FedRAMP process successful if CSP vendors receive certification decisions in a reasonable amount of time, know how far an application has progressed in the process, and understand what comes next.

According to Lieu, GSA did not give concrete answers to the problems, but said it wanted to make the process more transparent.

Matt Goodrich, director of FedRAMP, speaking last year at the CyberSecurity Brainstorm event. Some are now privately calling for his removal from that position.

The highly interactive discussion between the lawmakers, industry representatives and government IT officials lasted three hours. The meeting became contentious at times, with some from both the government and industry alluding to the need for a FedRAMP leadership change.

Launched in 2011, FedRAMP’s stated goal was to streamline the certification process for CSPs looking to provide Federal agencies cloud computing services, and to be able to easily share those certifications throughout government. But even some Federal IT officials acknowledge that the program has become more of a roadblock than an on-ramp for Federal cloud migrations.

Tony Summerlin, one of the original chief architects of the FedRAMP program, said the program today does not resemble the program he helped design five years ago.

“When we started FedRAMP, it was to facilitate people going to the cloud as soon as possible,” said Summerlin, the chief data officer and senior strategic adviser to the Chief Information Officer at the FCC. “So I knew what it was supposed to be doing, and I know what it’s doing now, which has nothing to do with its original purpose.”

I was part of the crush at the caucus meeting last week and it was revealing to hear that AT&T representative tell us that they had an agency refuse to accept their JAB cert. This is chaos, and if GSA has the answers why wasn't Goodrich in the room? Connolly hit the nail on the head: this many folks wouldn't be here if there were big problems with FedRAMP. Everybody's looking for Congress and OMB to provide real leadership. Steve, you need to get a bigger room for the next session; a lot of folks were grumbling about having to stand.

I am very puzzled at what MeriTalk is doing stirring up this controversy; it appears they are attempting to take a page from the old WWF / now WWE wrestling entertainment industry to get people talking about FedRAMP. As a person who led certification of one of the first SaaS through JAB authorization a year ago, I found the program remarkably brilliant in its design, using the FISMA / NIST 800-53 standards as a base with additional FedRAMP controls applied to cloud services. It just made sense; I followed the directions and phases and was able to get a complex, multi-service SaaS properly authorized in 12 months from kickoff to P-ATO. Not really sure why these (very few) other CSPs are complaining, but if they cannot meet the rigorous requirements of securing a cloud service for Federal Government use, then maybe they should not be in the business of providing a cloud service for Government use. Even my non-technical business friend understands the importance of this, stating "Our nation's infrastructure depends on strong security controls on its cloud systems." I am quite a bit ashamed at the position MeriTalk has put themselves in. I attended one of their conferences a year ago and they appeared to be in support of the program back then, but now it looks like they have some personal beef and want to sabotage the leadership of FedRAMP and possibly the entire program. Very unprofessional, and people that know can see right through it. I would advise a different course for your publication.

Very glad we were able to facilitate such an important IT policy discussion. And to correct the commentator above, that is all MeriTalk has done. The report is a product of the industry and government members of the FedRAMP Fast Forward Industry Advisory Council. We facilitated the meetings and put their recommendations on paper. This is not an official position of MeriTalk as a publication. The participants (government and industry) in each of the standing room only working group sessions had to remain off the record for what are now obvious reasons. I don't know anybody who doesn't support the program. What I learned from putting their recommendations into the report is that they simply want it to cost less, and work more efficiently and fairly for all. Nobody ever said kill the program. Far from it.

Speaking to the costs and wanting it to cost less, can you comment, Dan, on which costs? There is an initial 3PAO (third-party assessment organization) to procure to audit the system against its documented controls, at around $120k for the first year, and then an annual assessment thereafter at about half that cost every year. This one seems to stand out the most, as the other costs seem to be for closing gaps in the security controls in the system security plan (SSP), which are required. However, if this were not a cloud solution but a system at a government IT location, closing FISMA security gaps would still require very similar costs? Can you give me a breakdown of the costs they are looking to reduce?
Thanks.

Regarding the previous post about costs -- I work for a CSP and have the responsibility of initiating the FedRAMP process. We are a small business with 2 applications utilizing similar environments within AWS. Our process started by speaking with several leading 3PAOs, each of which gave us estimates of $250-300k just to get ready for the eventual certification assessment. They also said we should expect the annual audit to cost about $120k per year due to the enhanced assessment criteria.
FedRAMP is currently a very long and expensive process.

Thank you for your insight - that is exactly what I heard at the conference on Capitol Hill. Small business has pretty much been told you can compete as long as you're comfortable with a certification price tag that could amount to 1/2 or more of your company's entire capitalization. How does a $4 million small business come up with $2 million just to become FedRAMP certified?

This makes sense on the $250-300k just to get ready, and I can understand that for a small business, meeting the additional security technical requirements and personnel roles to provide this can be a big undertaking, whether in the cloud for Federal use or in building an onsite system to FISMA requirements. I think this is where the disconnect is in understanding these cost allocations. They are different for large, medium, and small companies. The good thing FedRAMP provides for SaaS/PaaS authorization is that the previously accredited IaaS can be leveraged, thus keeping infrastructure controls down so the effort can focus on just the SaaS or PaaS controls.

"Some are now privately calling for [Matt Goodrich's] removal from that position." That's complete BS. Who? No one can lead this as effectively as Matt Goodrich. It's complicated technically, it's political, and he has to deal with the DoD. His salary should be doubled because he's irreplaceable.

$250-300K is a normal price to ready a CSP for FedRAMP. There are almost 1,000 pages of documentation required. Getting a CSP ready for FedRAMP is entirely different than doing an assessment. Assessments are much quicker.

Regarding the above comment about costs. There is always going to be a cost. If you are working to deliver a cloud solution in order to be "secure," it costs money. Let's put FedRAMP aside for a moment. If a firm has its eye on the Fed space, in order to play you are going to have to pay. The $250-300K "to get ready" sounds reasonable, as you will need to invest in technologies and documentation development. Your SOC 2 is not going to cut it. Most CSPs that have an interest in playing have SSPs that either do not exist or are very weak.